Requirement: wireless users in each department may only be placed in the VLAN that belongs to their department.
Environment:
Network devices: core switch H3C S5500 (192.168.10.254), access-layer PoE switch H3C S5130 (192.168.10.253), AC H3C WX2560H (192.168.10.252), APs WA4320;
Servers: domain controller / DHCP server (192.168.20.1), NPS (RADIUS) server (192.168.20.2)
VLANs are 10, 20, 30, 40, 50 and 60. VLAN 10 is the network-device segment, 20 the Windows server segment, 30 the AP segment, and 40/50/60 are the user (production) segments. VLANs 10/20/30 get their addresses from the DHCP server on the core switch; for 40/50/60 the core switch relays DHCP to the Windows DHCP server, which hands out the addresses.
I. Switch configuration:
Core switch S5500:
<S5500>dis cur
#
 version 7.1.045, Release 3116
#
 sysname S5500
#
 clock timezone Lisbon add 00:00:00
 clock protocol none
#
 telnet server enable
#
 irf mac-address persistent timer
 irf auto-update enable
 undo irf link-delay
 irf member 1 priority 1
#
 dhcp enable
 dhcp server forbidden-ip 192.168.10.1 192.168.10.10
 dhcp server forbidden-ip 192.168.20.1 192.168.20.10
#
 lldp global enable
#
 password-recovery enable
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
vlan 40
#
vlan 50
#
vlan 60
#
 stp global enable
#
dhcp server ip-pool 10
 gateway-list 192.168.10.254
 network 192.168.10.0 mask 255.255.255.0
 dns-list 192.168.20.1
#
dhcp server ip-pool 20
 gateway-list 192.168.20.254
 network 192.168.20.0 mask 255.255.255.0
 dns-list 192.168.20.1
#
dhcp server ip-pool 30
 gateway-list 192.168.30.254
 network 192.168.30.0 mask 255.255.255.0
 dns-list 192.168.20.1
 option 43 hex 8007000001c0a80afc    # the APs sit in VLAN 30 and the AC in VLAN 10; for the APs to register across subnets, DHCP option 43 must carry the AC address in hex
#
interface NULL0
#
interface Vlan-interface1
 ip address 192.168.0.233 255.255.255.0
#
interface Vlan-interface10
 ip address 192.168.10.254 255.255.255.0
#
interface Vlan-interface20
 ip address 192.168.20.254 255.255.255.0
#
interface Vlan-interface30
 ip address 192.168.30.254 255.255.255.0
#
interface Vlan-interface40
 ip address 192.168.40.254 255.255.255.0
 dhcp select relay
 dhcp relay server-address 192.168.20.1
#
interface Vlan-interface50
 ip address 192.168.50.254 255.255.255.0
 dhcp select relay
 dhcp relay server-address 192.168.20.1
#
interface Vlan-interface60
 ip address 192.168.60.254 255.255.255.0
 dhcp select relay
 dhcp relay server-address 192.168.20.1
#
interface GigabitEthernet1/0/1
#
interface GigabitEthernet1/0/2
#
interface GigabitEthernet1/0/3
#
interface GigabitEthernet1/0/4
#
interface GigabitEthernet1/0/5
#
interface GigabitEthernet1/0/6
#
interface GigabitEthernet1/0/7
#
interface GigabitEthernet1/0/8
#
interface GigabitEthernet1/0/9
#
interface GigabitEthernet1/0/10
#
interface GigabitEthernet1/0/11
#
interface GigabitEthernet1/0/12
#
interface GigabitEthernet1/0/13
#
interface GigabitEthernet1/0/14
#
interface GigabitEthernet1/0/15
#
interface GigabitEthernet1/0/16
#
interface GigabitEthernet1/0/17    # downlink to the S5130
 port link-type trunk
 port trunk permit vlan all
 combo enable copper
#
interface GigabitEthernet1/0/18    # downlink to the AC WX2560H
 port link-type trunk
 port trunk permit vlan all
 combo enable copper
#
interface GigabitEthernet1/0/19
 combo enable copper
#
interface GigabitEthernet1/0/20
 combo enable copper
#
interface GigabitEthernet1/0/21
 combo enable copper
#
interface GigabitEthernet1/0/22
 combo enable copper
#
interface GigabitEthernet1/0/23
 port access vlan 10
 combo enable copper
#
interface GigabitEthernet1/0/24
 port access vlan 20
 combo enable copper
#
interface GigabitEthernet1/0/25
#
interface GigabitEthernet1/0/26
#
interface GigabitEthernet1/0/27
#
interface GigabitEthernet1/0/28
#
 scheduler logfile size 16
#
line class aux
 user-role network-admin
#
line class vty
 user-role network-operator
#
line aux 0
 user-role network-admin
#
line vty 0 63
 authentication-mode scheme
 user-role network-admin
 user-role network-operator
 idle-timeout 0 0
#
 snmp-agent
 snmp-agent local-engineid 800063A2803CF5CC29A26100000001
 snmp-agent community write private
 snmp-agent community read public
 snmp-agent sys-info version all
#
domain system
#
 aaa session-limit http 6
 aaa session-limit https 6
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user admin class manage
 password hash $h$6$m6G0XrvVo3KCxzlo$ZiSUweumlOHswdjZOF9eac28c8rKCP4001GBXyfQp444n0ETJiRF6TJJNHE9Sh+eEChM11nlVTbZ5v6c8juKyA==
 service-type telnet terminal http https
 authorization-attribute user-role network-admin
 authorization-attribute user-role network-operator
#
 netconf soap http enable
 netconf soap https enable
#
 ip http enable
 ip https enable
#
return
<S5500>
A note on the management plane as shown: Telnet and plain HTTP are enabled, the SNMP communities are the defaults `public` (read) and `private` (write), and the VTY lines have `idle-timeout 0 0` (sessions never time out). None of this is needed for the dynamic VLAN setup; before putting this in production, replace Telnet/HTTP with SSH/HTTPS, remove the default communities in favour of SNMPv3, and set a finite idle timeout.
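The `option 43 hex 8007000001c0a80afc` line in pool 30 is the one piece of the switch configuration that is easy to get wrong, because the AC address has to be hand-encoded. The following added example (my own code, not from the original article or from H3C) encodes a list of AC addresses into that hex string and decodes it back with length checks, so a typo is caught before the APs silently fail to register. The sub-option layout is inferred from the single value the article uses: type 0x80, a length byte covering the rest, a 2-byte field that I assume is a server type of 0x0000 meaning "IPv4 address list", a 1-byte address count, then the addresses; that 2-byte field's meaning is an assumption.

```python
# Added example (not from the original article): encode/decode the H3C DHCP
# option 43 sub-option 0x80 that tells an AP in VLAN 30 where its AC lives.
# Layout inferred from the article's value 8007000001c0a80afc:
#   0x80       sub-option type (AC address list)
#   0x07       length of everything after this byte = 3 + 4 * number_of_acs
#   0x0000     2-byte field, ASSUMED to be a server type: 0x0000 = IPv4 list
#   0x01       number of AC addresses
#   c0a80afc   192.168.10.252
import ipaddress

SUBOPT_AC_LIST = 0x80
SERVER_TYPE_IPV4 = 0x0000  # assumption, see header comment


def encode_option43(ac_ips):
    """Return the hex string to paste after `option 43 hex`."""
    addrs = [ipaddress.IPv4Address(ip) for ip in ac_ips]
    if not 1 <= len(addrs) <= 0xFF:
        raise ValueError("need between 1 and 255 AC addresses")
    payload = SERVER_TYPE_IPV4.to_bytes(2, "big") + bytes([len(addrs)])
    payload += b"".join(a.packed for a in addrs)
    return bytes([SUBOPT_AC_LIST, len(payload)]).hex() + payload.hex()


def decode_option43(hexstr):
    """Parse the hex string back into dotted AC addresses, verifying every
    length field so a truncated or padded value is rejected instead of
    producing a wrong AC address."""
    data = bytes.fromhex(hexstr)
    if len(data) < 5 or data[0] != SUBOPT_AC_LIST:
        raise ValueError("not an H3C AC-address sub-option")
    length, body = data[1], data[2:]
    if len(body) != length:
        raise ValueError(f"length byte says {length}, got {len(body)} bytes")
    server_type = int.from_bytes(body[0:2], "big")
    count = body[2]
    if server_type != SERVER_TYPE_IPV4 or len(body) != 3 + 4 * count:
        raise ValueError("server type / address count mismatch")
    return [str(ipaddress.IPv4Address(body[3 + 4 * i:7 + 4 * i]))
            for i in range(count)]


if __name__ == "__main__":
    article_value = "8007000001c0a80afc"           # value from the article
    assert encode_option43(["192.168.10.252"]) == article_value
    print(decode_option43(article_value))          # ['192.168.10.252']
    # a second AC (hypothetical 192.168.10.251) just extends the list
    print(encode_option43(["192.168.10.252", "192.168.10.251"]))
```

Run it against the value from your own pool before committing the DHCP change; the decoder refusing the string is cheaper than a fleet of APs stuck in discovery.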
POE S5130:
The detailed configuration is omitted; the key points are: 1. enable PoE on the ports; 2. because the APs are to come online automatically, every port on this switch that connects an AP is configured as an access port in VLAN 30, the AP VLAN.
AC WX2560H:
<WX2560H>dis cur
#
 version 7.1.064, Release 5215P01
#
 sysname WX2560H
#
 telnet server enable
#
 dot1x    # enable 802.1X globally and set the system authentication method to EAP
 dot1x authentication-method eap
#
 password-recovery enable
#
vlan 1
#
vlan 10
#
vlan 20
#
vlan 30
#
vlan 40
#
vlan 50
#
wlan service-template 1    # wireless service template
 ssid service1
 akm mode dot1x
 cipher-suite ccmp
 security-ie rsn
 client-security authentication-mode dot1x
 dot1x domain dm01
 service-template enable
#
interface NULL0
#
interface Vlan-interface1
 ip address 192.168.0.100 255.255.255.0
#
interface Vlan-interface10
 ip address 192.168.10.252 255.255.255.0
#
interface GigabitEthernet1/0/7
 port link-mode route
#
interface GigabitEthernet1/0/8
 port link-mode route
#
interface GigabitEthernet1/0/1    # AC uplink port
 port link-mode bridge
 port link-type trunk
 port trunk permit vlan all
#
interface GigabitEthernet1/0/2
 port link-mode bridge
#
interface GigabitEthernet1/0/3
 port link-mode bridge
#
interface GigabitEthernet1/0/4
 port link-mode bridge
#
interface GigabitEthernet1/0/5
 port link-mode bridge
#
interface GigabitEthernet1/0/6
 port link-mode bridge
#
 scheduler logfile size 16
#
line class console
 user-role network-admin
#
line class vty
 user-role network-operator
#
line con 0
 user-role network-admin
#
line vty 0 31
 authentication-mode scheme
 user-role network-operator
#
 ip route-static 192.168.10.0 24 192.168.10.254    # static routes
 ip route-static 192.168.20.0 24 192.168.10.254    # required, otherwise RADIUS requests cannot reach the NPS server and authentication fails
 ip route-static 192.168.30.0 24 192.168.10.254    # required, otherwise the APs cannot register with the AC
#
 undo info-center logfile enable
#
 radius session-control enable    # enable the RADIUS session-control function
#
radius scheme rd01    # new RADIUS scheme: authentication/accounting server and keys
 primary authentication 192.168.20.2 key cipher $c$3$H/oG+QiqvYDHlrCjYQtLXoWoKXbOf9mSuU1N
 primary accounting 192.168.20.2 key cipher $c$3$4/xA5b5wob1GLTAt+J4pxJJf8NuaSzQOiYn2
 key authentication cipher $c$3$bCmB/bA01ZFxZnpa1xxpBCLeIZnQ2uhhp4Ee
 key accounting cipher $c$3$NXsfRNwLjlhQw0YMKdmAgf2L2oQFVFGGIGpp
 nas-ip 192.168.10.252    # NAS-IP, i.e. the AC address (this is what NPS sees as the RADIUS client)
#
radius dynamic-author server    # enable and configure RADIUS DAE (CoA / Disconnect from the NPS server)
 client ip 192.168.20.2 key cipher $c$3$GRXfDjXnWehlelAEC7r8/UOIFw9OYwzfwvZd
#
domain dm01    # new ISP domain that points LAN-access AAA at the RADIUS scheme
 authentication lan-access radius-scheme rd01
 authorization lan-access radius-scheme rd01
 accounting lan-access radius-scheme rd01
#
domain system
#
 domain default enable system
#
role name level-0
 description Predefined level-0 role
#
role name level-1
 description Predefined level-1 role
#
role name level-2
 description Predefined level-2 role
#
role name level-3
 description Predefined level-3 role
#
role name level-4
 description Predefined level-4 role
#
role name level-5
 description Predefined level-5 role
#
role name level-6
 description Predefined level-6 role
#
role name level-7
 description Predefined level-7 role
#
role name level-8
 description Predefined level-8 role
#
role name level-9
 description Predefined level-9 role
#
role name level-10
 description Predefined level-10 role
#
role name level-11
 description Predefined level-11 role
#
role name level-12
 description Predefined level-12 role
#
role name level-13
 description Predefined level-13 role
#
role name level-14
 description Predefined level-14 role
#
user-group system
#
local-user admin class manage
 password hash $h$6$D5QsfpSiuEZF2/U4$8Q1ajQ+0kHYMJjx5sJESu48zPA+O9o+txSM7JQP3MJP6o4DXCQ+PeGwqXGX39NRJZX8HsGSCC1YdCZJCtzUYsg==
 service-type telnet http https
 authorization-attribute user-role network-admin
#
 ip http enable
 ip https enable
#
 wlan auto-ap enable
 wlan auto-persistent enable
#
wlan global-configuration
#
wlan ap-group default-group
 vlan 1
#
wlan ap 38ad-be58-d860 model WA4320H
 serial-id 219801A0YG8178E08438
 radio 1
 radio 2
#
wlan ap 38ad-be58-d6a0 model WA4320H
 serial-id 219801A0YG8178E08424
 radio 1
  radio enable
  service-template 1
 radio 2
#
 cloud-management server domain oasis.h4c.com
#
return
<WX2560H>
Two things to check against this dump before relying on it. First, the AC creates VLANs 1 through 50 but not VLAN 60, even though the environment section lists VLAN 60 as a user segment; a VLAN that the RADIUS server assigns must exist on the AC, so add `vlan 60` here if any department is mapped to it. Second, the `$c$3$` strings are the RADIUS shared secrets and the DAE key in Comware's reversible cipher form, so a copy of this dump is as sensitive as the secrets themselves. Once a user has authenticated, confirm on the AC that the client landed in the VLAN the NPS policy assigned (for example with `display wlan client`) rather than in the `vlan 1` default of the AP group.
II. Server configuration
1. Domain server configuration (omitted)
After the standard domain controller installation, install Certificate Services.
Configure Certificate Services on the AD server:
Add the Certification Authority and Certification Authority Web Enrollment role services
Certificate Services installed successfully
Request a certificate on the RADIUS server
Validity period is 365 days
2. RADIUS server configuration
The RADIUS (NPS) server configuration has four parts.
2.1 Create a shared secret template
2.2 Create the RADIUS client.
The RADIUS client is normally the AC's address (here 192.168.10.252, the `nas-ip` configured on the AC). With some brands whose wireless APs use a software AC, the RADIUS clients are the IP addresses of all the APs (in which case the APs must be given static IP addresses).
2.3 Connection request policy
Connection request policies and network policies correspond to each other; normally one department (or one VLAN) maps to one policy.
2.4 Network policy
In the network policy, the following important parameters are set:
Matching security group: the Windows group this policy applies to, normally the department's security group;
Authentication method: the EAP type
Framed-Protocol: PPP
Service-Type: Framed
Tunnel-Type: VLAN (not listed in the original write-up, but RFC 3580 requires it together with the two attributes below for the NAS to apply a VLAN assignment)
Tunnel-Medium-Type: 802 (the tunnel medium is IEEE 802)
Tunnel-Pvt-Group-ID: the VLAN the user belongs to
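The attributes in the list above are what the NPS network policy returns in its RADIUS Access-Accept, and the AC reads the VLAN from them. The following added example (my own code, not from the original article, and not NPS or H3C code) builds that attribute list byte for byte per RFC 2865/2868/3580 and then parses it the way a standards-following NAS would, including the RFC 2868 tag byte that Tunnel-* attributes carry and the consistency checks a NAS applies before placing the client in the VLAN. It also generalises slightly beyond the page: it handles tagged and untagged forms of Tunnel-Pvt-Group-ID, since servers differ in whether they send the tag byte. Attribute numbers and values come from the RFCs; the packet header, authenticator and shared secret are out of scope, and this example accepts numeric VLAN IDs only.

```python
# Added example, not from the original article: build the attribute list an NPS
# network policy with the settings above returns in its Access-Accept, then parse
# it the way a standards-following NAS (here the AC) would to pick the VLAN.
# Attribute numbers/values are from RFC 2865, 2868 and 3580; the packet header,
# authenticator and shared secret are out of scope (the NAS checks those first).
import struct

SERVICE_TYPE, FRAMED_PROTOCOL = 6, 7
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
SERVICE_TYPE_FRAMED = 2      # RFC 2865
FRAMED_PROTOCOL_PPP = 1      # RFC 2865
TUNNEL_TYPE_VLAN = 13        # RFC 3580
TUNNEL_MEDIUM_IEEE_802 = 6   # RFC 3580
MAX_TAG = 0x1F               # RFC 2868: a first byte above 0x1F is data, not a tag


def _avp(attr_type, value):
    """One RADIUS attribute: Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_vlan_accept_attrs(vlan_id, tag=0):
    """Attributes of an Access-Accept that assigns `vlan_id` (NPS-style)."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN id out of range")
    if not 0 <= tag <= MAX_TAG:
        raise ValueError("tag must be 0 (untagged) or 1..31")

    def tagged_int(v):            # RFC 2868 section 3.1: 1 tag byte + 3 value bytes
        return bytes([tag]) + v.to_bytes(3, "big")

    return b"".join([
        _avp(SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_FRAMED)),
        _avp(FRAMED_PROTOCOL, struct.pack("!I", FRAMED_PROTOCOL_PPP)),
        _avp(TUNNEL_TYPE, tagged_int(TUNNEL_TYPE_VLAN)),
        _avp(TUNNEL_MEDIUM_TYPE, tagged_int(TUNNEL_MEDIUM_IEEE_802)),
        _avp(TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode("ascii")),
    ])


def parse_attrs(data):
    """Walk the TLV list into (type, value) pairs, rejecting malformed lengths."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad length {length} for attribute {t}")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def _split_tag(value):
    """Separate the RFC 2868 tag from the payload; a leading byte > 0x1F is payload."""
    if value and value[0] <= MAX_TAG:
        return value[0], value[1:]
    return 0, value


def assigned_vlan(attrs_bytes):
    """VLAN id the NAS should place the client in, or None when the Tunnel-Type /
    Tunnel-Medium-Type / Tunnel-Private-Group-ID triple is absent or inconsistent."""
    groups = {}
    for t, v in parse_attrs(attrs_bytes):
        if t in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID):
            tag, payload = _split_tag(v)
            groups.setdefault(tag, {})[t] = payload
    for _tag, g in sorted(groups.items()):
        if len(g) != 3:
            continue                                  # incomplete triple, ignore it
        if int.from_bytes(g[TUNNEL_TYPE], "big") != TUNNEL_TYPE_VLAN:
            continue                                  # e.g. a GRE/L2TP tunnel spec
        if int.from_bytes(g[TUNNEL_MEDIUM_TYPE], "big") != TUNNEL_MEDIUM_IEEE_802:
            continue
        try:
            vid = int(g[TUNNEL_PRIVATE_GROUP_ID].decode("ascii"))
        except ValueError:
            continue                                  # VLAN names not handled here
        if 1 <= vid <= 4094:
            return vid
    return None


if __name__ == "__main__":
    accept = build_vlan_accept_attrs(60)             # a department mapped to VLAN 60
    print(accept.hex())
    print(assigned_vlan(accept))                     # 60
```

The parser deliberately returns None instead of a default when any part of the triple is missing or wrong; a NAS that "helpfully" fell back to a static VLAN here would put an authenticated user in a segment nobody chose for them.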
This completes the RADIUS-based dynamic VLAN assignment for wireless users.